Hi,
I am experiencing a strange issue with DNS resolution between my replicas, could you please help me to figure it out?
My topology is:
rhel-ipa.ims.example.com => rhel-ipa-replica.ams.ims.example.com => rhel-ipa-newreplica.ams.ims.example.com
All three are IPA servers with DNS. And I've created two zones: "ims.example.com" and "ams.ims.example.com".
It worked fine while I had just the first two IPA servers; both servers could resolve any host in either of the two zones. But now I have added the third IPA server (rhel-ipa-newreplica), and that new host cannot resolve anything in the parent domain "ims.example.com"...
$ dig rhel-ipa.ims.telekom.de
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> rhel-ipa.ims.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61092
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rhel-ipa.ims.example.com. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 14 18:02:46 CET 2019
;; MSG SIZE rcvd: 52
What am I missing here...? As per my understanding, each IPA server should "feel" authoritative for each of the two zones, because they are replicated. So even forwarding should not take place here... Btw I tried to play with forwarder configuration, but so far - no luck.
What am I missing for this setup to work...? How do I make rhel-ipa-newreplica resolve hosts from the parent domain...?
-- Regards, Dmitry Perets.
"The more one knows, the less opinions he shares" -- Wilhelm Schwebel
Responding to myself - for future reference.
I found in /var/named/data/named.run that my parent zone (ims.example.com) failed to load. Turns out I had to implement a proper delegation: in the zone "ims.example.com" I had to add A entries for "rhel-ipa-replica.ams" and "rhel-ipa-newreplica.ams". Without it, the zone "ims.example.com" was considered incomplete, so IPA servers wouldn't load it...
The fact that my 2nd replica didn't show this problem was just a coincidence - I hadn't restarted DNS on it since I defined multiple zones like this. Otherwise it would have failed to load that zone too.
I've added the two missing A records, reloaded the zones, and now it works!
-- Regards, Dmitry Perets.
"The more one knows, the less opinions he shares" -- Wilhelm Schwebel
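As an added example that is not part of Dmitry's messages or FreeIPA's own code: a small Python check for the condition described above, a parent zone whose delegation NS records point at names inside the child zone that have no A/AAAA glue in the parent (the case named's zone integrity check rejects at load time). The zone text and addresses are constructed to mirror the thread's topology; the parser only handles one simple record per line.

```python
from collections import defaultdict

# Constructed parent zone mirroring the thread: the "ams" child is delegated
# to two name servers that live inside the child zone, but the parent carries
# no A record for them (the "incomplete zone" named refused to load).
PARENT_ZONE_BROKEN = """\
ims.example.com.                        NS  rhel-ipa.ims.example.com.
ams.ims.example.com.                    NS  rhel-ipa-replica.ams.ims.example.com.
ams.ims.example.com.                    NS  rhel-ipa-newreplica.ams.ims.example.com.
rhel-ipa.ims.example.com.               A   192.0.2.10
"""

# Same zone with the glue records the thread's fix adds (addresses constructed).
PARENT_ZONE_FIXED = PARENT_ZONE_BROKEN + """\
rhel-ipa-replica.ams.ims.example.com.    A   192.0.2.11
rhel-ipa-newreplica.ams.ims.example.com. A   192.0.2.12
"""

def parse_zone(text):
    """Map (owner, type) -> [rdata] for 'owner [ttl] [class] type rdata' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:]).lower()
        records[(owner.lower(), rtype)].append(rdata)
    return records

def missing_glue(zone_text, origin):
    """Return in-bailiwick NS targets of delegations that lack A/AAAA glue."""
    origin = origin.lower().rstrip(".") + "."
    records = parse_zone(zone_text)
    missing = set()
    for (owner, rtype), targets in records.items():
        if rtype != "NS" or owner == origin:    # apex NS set is not a delegation
            continue
        for ns in targets:
            in_bailiwick = ns == owner or ns.endswith("." + owner)
            has_glue = (ns, "A") in records or (ns, "AAAA") in records
            if in_bailiwick and not has_glue:
                missing.add(ns)
    return sorted(missing)
```

On a real server the equivalent check is the one `named-checkzone` and named's own `check-integrity` perform against the zone at load time.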
On Thu, Mar 14, 2019 at 6:11 PM Dmitry Perets dmitry.perets@gmail.com wrote: